ntkme
commented
5 months ago Looks like yesterday's node 20.12.2 is breaking our test on windows: https://github.com/nodejs/node/commit/69ffc6d50d
Closed ntkme closed 4 months ago
ntkme
commented
5 months ago Looks like yesterday's node 20.12.2 is breaking our test on windows: https://github.com/nodejs/node/commit/69ffc6d50d
ntkme
commented
5 months ago @nex3 I added a commit to fix the node regression.
Regarding CVE-2024-27980:
sass-embedded >=1.59.2 is not affected because in production release we always launch the dart.exe directly since this commit: https://github.com/sass/embedded-host-node/commit/308862033e00f7a28a83c3114941efb053c395f6sass-embedded <1.59.2 would be broken if a windows user upgrades to the latest node. There is no security risk for sass-embedded itself even if a windows user does not upgrade node, because we don't have any arguments when launching .bat, thus there is no risk of injection..bat wrapper in the test.
nex3
commented
5 months ago Can you pull the CVE fix into a separate PR?
ntkme
commented
5 months ago @nex3 Created a separate PR for the CVE: https://github.com/sass/embedded-host-node/pull/286
https://github.com/sass/sass/pull/3835 https://github.com/sass/dart-sass/pull/2220